From 21 December 2020, all providers of OTT services that offer their product in an EU member state are required to comply with the requirements of the European Electronic Communications Code (EECC), the Directive on privacy and electronic communications (ePrivacy Directive) and other European legal acts as well as the respective national legal peculiarities (see our collection of laws and regulations here).
The new legal requirements must be analysed and compliance measures be implemented under a systematic and structured approach. We thus recommend carrying out a gap analysis consisting of the seven steps described below. Far-reaching legal harmonisation basically allows for a Union-wide approach, which, however, must be supplemented by a process for implementing the respective national member state requirements.
Practical advice: A significant amount of the required work to ensure OTT providers’ compliance under the new regulatory regime is the same for every enterprise and does not require a customized approach. Therefore, making use of external support can create significant economies of scale that translate into both lower costs and substantial time savings.
For this very purpose, Schalast Rechtsanwälte and other renowned law firms have created an international network of law firms to provide clients with a one-stop-shop compliance solution for all EU member states.
Step-by-step instructions follow below. While these steps represent a logical sequence of actions, their order should not be seen as unalterable. In particular where time is of the essence, it is possible to jump between steps for partial actions in the spirit of agile project management:
All new legal requirements that address your enterprise should be collected and compiled in a comprehensive list. As EU telecommunications law is broadly harmonized, it is not necessary to analyse each national law in total. Instead, we recommend analyses of the relevant EU directives, in particular the EECC and the ePrivacy Directive, as a starting point.
Practical advice: The identification of the provisions applicable to OTT providers has its pitfalls. The EECC distinguishes between several addressees. OTT providers are defined as number-independent interpersonal communications services. However, provisions that seemingly address other services may be of relevance as well. While, e.g., internet access services or M2M services are obviously exclusive of OTT services, electronic communications services and interpersonal communications services are merely broader terms that include OTT services amongst others. All provisions that address the latter are, thus, of relevance for OTT service providers.
National telecommunications laws have both adopted the European directives and supplemented them. To the extent that they supplement the directives, each national law thus requires an individual analysis.
Practical advice: To create a time-efficient approach, a comprehensive analysis of each national law can be bypassed. To do so, the relevant gaps in European law should be identified first, which can then be specifically filled under the respective national law. The need for national supplementation arises in two ways:
a) Some provisions expressly leave leeway to national legislators. E.g. article 29 para. 1 of the EECC merely states that penalties shall be “appropriate, effective, proportionate and dissuasive” and leaves the specifics to the member states.
b) Some areas of law are excluded from the EECC completely. This particularly pertains to public security, including OTT providers’ obligations to cooperate with national prosecution and other security services.
Each abstract legal requirement should be translated into a specific measure or a set of measures to be implemented. Such measures can have various characteristics and may include:
a) one-time measures (e.g., the revision and drafting of new contractual and other documents or the review and revision of service security),
b) the establishment of new internal processes and responsibilities (e.g., a process for the identification of security incidents and the corresponding notification of the respective national regulatory authority (NRA) as well as customers),
c) monitoring of regulatory activities of the EU commission, the NRAs and other relevant authorities, or
d) training to embed relevant knowledge in the company (e.g., training of staff on new processes; creation of awareness for new legal recourse options).
Practical advice: Some measures and processes may be subject to deviating requirements in EU member states as national legislators may make use of their national scope in different ways. However, a generalizing approach can still be taken by taking account of the most stringent requirements across all national laws. Naturally, the advantages of simplification must be weighed against possible higher costs and other disadvantages in each case.
By determining the internal status quo, this step creates the counterpart to the requirements identified under steps one and two. Therefore, it should be as detailed as the list of targets.
Practical advice: Ideally, process documentation that already exists can be consulted.
Conducting the comparison between the status quo and the targets is the gap analysis in a narrower sense. The required compliance measures and the current internal processes and organizational structures are put next to each other to identify the necessary changes.
The necessary measures to be taken should largely follow from the translation of the legal requirements into actual targets carried out under step two. This step concludes the review process and leads to the implementation process.
When you reach this step, the review process has been completed. While steps 1 to 5 consist primarily of legal work, this step is mainly characterized by project organization and coordination. To allow for a time-efficient implementation process, we recommend to:
Practical advice: Where time is of the essence, prioritisation is inevitable. To determine the most urgent measures to be taken and reduce liability risks efficiently, analyse the possible penalties for non-compliance with respect to each identified gap.
Furthermore, experienced external support can significantly increase the efficiency of the implementation process by drawing on established best practices.
Congratulations! By implementing the required measures, you take the final step to achieve your enterprise’s compliance.
Please note, however, that continuous compliance requires the ongoing monitoring of possible changes to the current legal regime. This aspect is of particular importance in the telecommunications sector as the involvement of the national regulatory authorities leads to continuous regulatory activities.
Practical advice: To save unnecessary costs, a centralised approach to monitoring legal and regulatory activities is highly recommended. This can be done by a business association. Alternatively, such monitoring can be outsourced to an external legal service provider.